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Abstract — Fundamental limits of secret-key agreement over 
reciprocal wireless channels are investigated. We consider a 
two-way block-fading channel where the channel gains in the 
forward and reverse links between the legitimate terminals are 
correlated. The channel gains between the legitimate terminals 
are not revealed to any terminal, whereas the channel gains of the 
eavesdropper are revealed to the eavesdropper. We propose a two- 
phase transmission scheme, that reserves a certain portion of each 
coherence block for channel estimation, and the remainder of the 
coherence block for correlated source generation. The resulting 
secret-key involves contributions of both channel sequences and 
source sequences, with the contribution of the latter becoming 
dominant as the coherence period increases. We also establish 
an upper bound on the secret-key capacity, which has a form 
structurally similar to the lower bound. Our upper and lower 
bounds coincide in the limit of high signal-to-noise-ratio (SNR) 
and large coherence period, thus establishing the secret-key 
agreement capacity in this asymptotic regime. Numerical results 
indicate that the proposed scheme achieves significant gains 
over training-only schemes, even for moderate SNR and small 
coherence periods, thus implying the necessity of randomness- 
sharing in practical secret-key generation systems. 



I. Introduction 

Physical layer can provide a valuable resource for enhancing 
security and confidentiality of wireless communication sys- 
tems. One promising method that has received a significant 
interest in recent years (see e.g., lfTl- lF20l and the references 
therein) is the generation of a shared secret key using channel 
reciprocity. When the terminals use identical carrier frequen- 
cies, a physical reciprocity lETl exists between uplink and 
downlink channels, which provides a natural mechanism for 
key exchange. The terminals first transmit training signals 
to estimate the underlying channel gains, then agree on a 
common sequence using error correction, and finally distill 
a shared secret-key from this common sequence. A number of 
experimental testbeds already demonstrate practical viability 
of such methods. See e.g., 11181-11201. 

Despite this growing interest, information theoretic limits of 
secret-key agreement over wireless channels have not received 
much attention. Consider a block-fading channel where the 
channel gains are sampled once every coherence period and 
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remain constant during the coherence block. Clearly, chan- 
nel reciprocity alone achieves a rate that vanishes as the 
coherence period increases. What form of signalling within 
each coherence block maximizes the secret-key rate? To our 
knowledge, only a recent paper 12211 considers this question. 
The authors consider a separation based scheme. A portion 
of each coherence block is reserved for transmission of pilot 
symbols to estimate the channel coefficients. The remainder of 
the coherence block is used for transmission of a confidential- 
message. Unfortunately the authors observe that one cannot 
separately tune the two phases. Any rate/power adaptation 
done during the message transmission phase, leaks information 
about the channel gains to an eavesdropper and in turn reduce 
the contribution from reciprocity. As such the wiretap code 
for confidential message transmission proposed in ll22l does 
not involve any rate or power adaptation. It achieves a non- 
zero rate only if we impose that the eavesdropper's channel 
on average be weaker than the legitimate receiver's channel. 
If this condition is not satisfied, the secret-key rate achieved 
in 11221 reduces to the rate achieved using a training only 
scheme and vanishes to zero as the coherence period becomes 
large. 

In the present paper we too consider a separation based 
scheme, but substitute the confidential-message transmission 
phase with a different communication strategy — randomness 
sharing. Following the training phase, in each coherence block 
the terminals exchange i.i.d. random variables to generate 
correlated source sequences between the terminals. No power 
allocation is performed during this phase, yet it results in a 
positive secret-key rate even when the eavesdropper's channel 
is on average stronger than the legitimate receiver's channel. 
We note that the randomness sharing scheme for secret-key 
generation has been investigated in several previous works (see 
e.g., 1231 - 1281 and references therein). However to the author's 
knowledge, the present paper appears to be the first attempt 
that studies randomness sharing, in conjunction with training 
techniques, in non-coherent wireless channels. Furthermore 
our proposed scheme has several appealing features. First it 
achieves a rate that does not vanish in the large coherence- 
period limit, thus making it atnactive in this practically 
relevant regime. Secondly our proposed separation scheme 
is asymptotically optimal among all signalling schemes in 
the two-way fading channel. In particular, we also establish 
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II. System Model and Main Results 
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Fig. 1, Problem Setup. There are two legitimate terminals and one eavesdrop- 
per terminal. The legitimate terminals A and B are required to agree on a 
common secret-key. The fading gains h A B and bsA are not revealed to any 
terminals, whereas the gAE and gs e are revealed to the eavesdropper. 



an upper bound on the secret-key agreement capacity in the 
proposed setup. The upper bound expression is structurally 
similar to the lower bound expression and furthermore the 
difference between our upper and lower bound vanishes to 
zero in the limit of large coherence period and high signal- 
to-noise-ratio, thus establishing an asymptotic capacity result. 
Numerical results indicate that even for moderate SNR and 
relatively small coherence periods the gains resulting from 
randomness sharing are significant over training-only schemes. 



Our proposed model also differs from reference |22| in that 
we only assume imperfect reciprocity in uplink and downlink 
channels i.e., we assume that the channel gains in uplink and 
downlink are correlated, but not identical. In general achieving 
perfect channel reciprocity in baseband is challenging because 
different terminals use different I/Q mixers, amplifiers and path 
lengths in the RF chains. While closed-loop calibration can 
be performed (see e.g. l29l . ll30l ). such methods can become 
challenging if the calibration needs to be done in the open air. 
Hence we believe that our assumption of imperfect reciprocity 
may perhaps be more realistic in practice. Nevertheless we 
also note that our coding technique can also be applied to the 
case of perfect reciprocity, and improves upon the message 
transmission scheme 112211 . 

In other related works, an information theoretic framework 
for secure communication was pioneered by Shannon 13TI . 
The problem of secret-key generation from common random- 
ness between two legitimate terminals was introduced in l23l . 
l24l . The setup considered in these papers involves one- 
way communication channel models and a public-discussion 
channel. In followup works, secret-key agreement capacity 
over one-way fading channels with a noiseless public feedback 
link have been studied in e.g. 11321 - 1361 . References [37)- 
[39) study secret-key agreement over a channel with two- 
sided state sequence, which has application to fading channels. 
However these works do not incorporate the cost of acquiring 
channel state information which is of critical importance in 
the proposed setup. 



As illustrated in Fig. Q] we consider a setup with two 
legitimate terminals A and B and one eavesdropper E. The 
terminals A and B communicate over a two-way non-coherent 
wireless channel: 

Yb (t ) = h AB {t)x A (t ) + n B (t ) , y A (t ) = h B a (t )x B (t ) + n A (t ) , 

(1) 

Z AE {t)=gAE {t)XA (*) + n AE (t) , Z B E{t)=gBE {t)x B (*) + n B E (*) 

(2) 

where t € {1,...,N} denotes the time index, y A (t) and 
y B (t) denote the output symbols at terminals A and B and 
{z A E(t), z B E(t)} denote the output symbols at terminal E. 
The input symbols generated by terminals A and B at time t 
are denoted by x A (t) and x B (t) respectively and are required 
to satisfy the average power constraints: 

JV JV 

J2 E l\xA(t)\ 2 ]<P, ^££[M*)I 2 ]<p 
*=i *=i 

The channel gains (h AB , h BA ,g AE ,gBE) are drawn from a 
distribution p(h AB , h BA )p{g AE , g BE ) once every T consecu- 
tive symbols and stay constant over this period i.e., the channel 
gains remain constant in the interval t E [iT+ 1, (i + 1)T] for 
i = 0, 1, . . . , Tjr — 1. We assume that the channel gains h AB {t) 
and h BA (t) are not revealed to any of the terminals apriori, 
whereas the channel gains (gAE(t), g B E(t)) are revealed to 
the eavesdropper terminal. The additive noise variables are 
drawn from an i.i.d. CAf(0, 1) distribution. When computing 
the achievable rates, for convenience, we will assume that the 
channel gains are all drawn from the Gaussian CAT(0, 1) dis- 
tribution, although our results are not tied to this assumption. 

Remark 1: While we assume that the channel gains of 
the eavesdropper are independent of (h AB , h BA ), our results 
naturally extend to the case when the channel gains are drawn 
from a joint distribution p{h AB , h BA , g A E> gBE)- Also note 
that the eavesdropper observes the transmission from the two 
terminals A and B over non-interfering links. An eavesdropper 
who observes a superposition of the two signals can only be 
weaker than the proposed eavesdropper. 

Definition 1 (Secret-Key Capacity): A feasible secret-key 
generation protocol is defined as follows. Terminals A and 
B sample independent random variables m A and m B from 
a product distribution p(m A )p(m B ). At time t, terminals A 
and B generate the symbols x A (t) = / J 4( m A I yl _1 ) an d 
x B (t) = f B (m B , yjj -1 ). At the end of N channel uses, 
the terminals A and B generate secret keys k A and k B 
respectively using the functions k A = K, A {y A , m A ) and 
k B = IC B (y B , m B ). We require that Pr(k A ^ k B ) < en 
and furthermore jjI{k A ; z N , g K ) < sn for some sequence 
En that goes to zero as N — > oo. The largest achievable rate 
R = jjH(k A ) is denoted as the secret-key capacity. □ 

As our main result, we establish upper and lower bounds on 
the secret-key capacity for the two-way non-coherent channel 
model. 
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Fig. 2. Separation-based approach for secret-key generation. In each coherence 
block of length T symbols, the first symbol is dedicated to training and a 
power Pi is used i.e., x A (iT + 1) = xs(iT + 1) = y/Pi. The remaining 
T — 1 symbols are used for randomness generation. Each symbol is sampled 
i.i.d. CN(0, P2) in this phase. 



A. Upper Bound 

Theorem 1: An upper-bound on the secret-key capacity of 
the two-way non-coherent fading channel is, 

C<R + = ^I(h AB ;h BA )+ 

max {I(yB m ,XA\hAB,ZAE,gAE)} 

{P{h AB )}ev A B 

+ max {I(y A ]x B \h BA ,z BE ,g B E)} , (3) 

{P(Iiba)}£Vba 

where the above expression is evaluated for 

x A ~ CAf(0, P(h AB )), x B ~ CAf(0, P(h BA )), 

and the set V AB is the set of all non-negative power allocation 
functions P(h AB ) that satisfy the average power constraint 
E[P(h AB )} < P and the set V BA is defined similarly. 

Remark 2: The upper bound expression in Theorem Q] has 
a natural interpretation. The term ^I(h AB ; h BA ) is the contri- 
bution arising from reciprocal channel gains. The second term 
is the secret key rate achieved over a one way fading channel 



Yb = h AB x A + n B , z AE = g AE x A + n AE 



(4) 



and a public discussion channel in the reverse link, when 
the fading chain h AB is revealed to all the terminals and the 
channel gain g AE is revealed to the eavesdropper. Likewise the 
third term is the contribution arising from the one-way fading 
channel in the reverse link. The upper bound expression (01 
indicates that the contribution of these three terms is additive. 
□ 

The proof of Theorem Q] is provided in section [Hi] 

B. Lower Bound - Public Discussion 

Our proposed coding scheme involves a separation based 
approach. As shown in Fig. [2] the first symbol in each 
coherence block is reserved for sending a training symbol and 
a total power of P\ is used in this phase. This allows the 
terminals B and A to generate linear minimum mean squared 
error estimates of the channel gains h AB and h BA respectively 
i.e., 



h AB = ah AB + e AB 
h BA = ah BA + e BA , 



(5) 
(6) 



where 



_ Pi 



P1+1 



is the estimation coefficient, and e AB 



and e BA both have the distribution CAf (0, a (I — a)) and are 
independent of the channel gains h AB and h BA respectively. 



For the reminder of coherence block, both the terminals 
transmit i.i.d. symbols from CAf(0, P2) to generate correlated 
source sequences i.e., in coherence period i each component 
of the vector x A (i) e C T_1 is generated i.i.d. CAf (Q, P2) 
and similarly each component of the vector x B (i) is i.i.d. 
CN(Q,P2)- The corresponding received vectors are given by 

yA(i)^h BA (i)x B (i) + h BA (i),y B (i)=h AB (i)x A (i) + n AB (i). 

(7) 

At the end of K such coherence blocks, as indicated in Table [I] 
terminal A has access to (h BA , x A , y A ) whereas terminal 
B has access to (h AB ,x B ,y B ). The eavesdropper observes 

{g AE i g BE 



'■AEi 'BE)- 

TABLE I 

Correlated Source and Channel Sequences at the Terminals 



Sequence/Terminal 


A 


B 


E 


Channel Sequence 


h K 






Source Sequence - I 






Z AK 


Source Sequence - II 
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These correlated sequences are in turn used to generate a 
common secret-key by exchanging suitable public messages 
in the reconciliation phase ||23l , J24). As indicated, in this 
section we assume that these public-messages for secret-key 
generation are transmitted over an external public discussion 
channel. The resulting rate-expression is simpler and has a 
form that can be immediately compared with the upper bound. 
Subsequently we will remove this assumption and consider 
the transmission of public messages directly over the wireless 
channel. 

Theorem 2: An achievable secret-key rate when an addi- 
tional public discussion channel of arbitrarily high rate is 
available communication is given by 

RpD = t^H^ab; ^ba)+ 
T - 1 



T 
T - 1 



T 



^I(Yb;xa, h AB , h BA ) - I(yB',z AE ,g A E, h AB )\ 
|/(yA;xB, hBA, kba) — I(ya; zbe, gBE, h BA )^ 



+ 



(8) 



where we evaluate the expression for x A ~ CAT(0, P2) and 
x B ~ CAT(0, P2) and h AB and h BA are specified in © and © 
respectively and P\ and P2 are non-negative and satisfy the 
relation 



Pi + (T - 1)P 2 < TP. 



(9) 



A proof of Theorem [2] is sketched in Section [IV] 
Remark 3: The lower bound expression ^ differs in the 
following respects from the upper bound expression (f3]): (i) 
the channel gains h AB and h BA in the first term are replaced 
by their estimates h AB and h BA respectively; (ii) the second 
and third terms are scaled by a factor of (1 — i); (iii) 
in computing the second and third terms, we assume that 
the legitimate receivers have access to the channel estimates 
whereas the eavesdropper has access to perfect channel states; 



4 



(T-1). 




K Coherence Blocks 



e K 



8,K 



Fig. 3. Extension of the proposed coding scheme in absence of public 
discussion. A total of K coherence blocks are used for training and source 
emulation. Thereafter a total of e\K coherence blocks are used for transmis- 
sion of the public message associated with the channel sequences and another 
E2K coherence blocks are used for the transmission of the public message 
associated with the source sequences. 



(iv) power allocation across the channel gains is not performed 
in the lower bound expression. 

An explicit evaluation of the lower bound when that the 
channel gains h A s and hsA are jointly Gaussian, zero mean 
random variables with a cross-correlation of p is as follows. 

Proposition 1: An achievable secret-key rate when termi- 
nals A and B have access to a public discussion channel is 
given by: 



T-1 
T 



R 



P.AB 



R 



P,BA 



(10) 



where the expressions for R PT , R p AB and R PBA are given 
by: 



R 



p,t = - lo S (! - Q V ) 

P2\h AB \ 2 



(11) 



R P,AB — E 



log 1 



l + P2\gAE\ 



-log H 



Pi 



1 + 



(12) 



I? 



P,BA 



and a 



E 



log 1 



Pi\h 



BA 



l + P2\gBE\ 



log 1 



Pi 



l + Pl 



(13) 

□ 



The proof of Prop. Q] is provided in section IIV-DI 



C. Lower Bound - No Discussion 

When a separate discussion channel is not available, we use 
the communication channel for sending the public messages 
during the key-generation step as illustrated in Fig. [3] We 
also need to quantize the source sequences to satisfy the rate 
constraint imposed by the channel. 

Theorem 3: An achievable secret-key rate in the absence of 
public discussion for the two-way reciprocal fading channel is: 



R- 



1 + ei +£2 \T 



T - 1 



T 



-Ru 



(14) 



We provide the expressions for Ri and Ru below, both of 
which depend on e\ and £2. 

Rj = I(u AB ; h BA )+I{u BA ; h AB )-I(u A B] u B a) (15) 



where the random variables uab and u B a satisfy the Markov 
chain 

UAB -> "AB -> h B A -> U B A, (16) 

and the rate constraints 

I(u AB ; h AB \h BA ) < (T — l) eiJ R NC (P), (17) 
I{u B a; h BA \h AB ) <{T — l) £l R NC {P), (18) 

where R^c{P) is an achievable rate for the non-coherent 
block fading channel (see e.g., l40l ). 

The rate expression for Ru is expressed as Rjj = i?AB + 
i?g A , where 

-^ab = P\vb\xa, u) - I(v B ;z AE ,g AE , h AB ), (19) 
-^ba = PyV A ;x B ,u) - I{v A ;z B E,gBE,h BA ) (20) 

where the random variable u = (u A b, Ub A )- The random 
variables v A and vb in < [2Qb and ( fl9] l satisfy the following 
Markov Conditions 



V A ^ Ya ^ (u,x B ), V B 
as well as the rate constraints: 



(u,x A ). 



(21) 

(22) 
(23) 

□ 

A proof of Theorem |3] appears in section [V] 
We further evaluate the rate expression in Theorem [3] for a 
Gaussian test channel: 



I(v A ;y A \u,x B ) < £2-Rnc(P), 
I(v B ;yB\u,x A ) < e 2 RNc(P)- 



U A B = h A B + q A B, U B A = hBA + Qba 



(24) 



where qAB, Qba ~ CAf(0, Qi) are Gaussian random variables 
independent of all other variables. Similarly we let 



va = YA + w A , v B = Yb 



w B 



(25) 



where w a ,wb ~ CAT(0, Q2) are Gaussian random variables 
independent of all other variables. 

Proposition 2: An achievable secret-key rate in the absence 
of public discussion for the two-way reciprocal fading channel 
is given by: 



R- 



1 



1 / x T 



1 



-Rn(s 2 ,P2)> (26) 



l+£l+£2 [T T 

where Pi and P 2 are non-negative and satisfy (0 and E\ and e 2 
are non-negative constants that will be specified in the sequel. 
The rate expressions R\ and R\\ are as follows. 




(27) 



where a = 1+p and Q\ satisfies 
■o g M + °< 1 -° V) 



< ei Ti? NC (P). 



(28) 
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The expression for i?n satisfies 



log 1 



R AB (e 2 ,P 2 )=E 



(29) 



P2\h AB \ 



R- BA {e 2 ,P2)=E 



los 



Iogl 



(i + Q 2 )(l 

1 + Q 2 



^Ig-Asl 2 ) 



P2\h BA \ 



{l + Q2)(l+P 2 \gBE\ 2 ) 



lO! 



V1 + Q2 



where 



2 

O AB 



and Q2 satisfies 
log [ 



' BA 



T AB P 2 



1 - 



(31) 
(32) 

(33) 
□ 

A proof of Prop. [2] appears in section [V-Hl 

Remark 4: The rate achieved in Prop. [2] reduces to the 
rate achieved using public discussion in Prop. [T] when we 
take Qi = Q 2 — 0. In particular when Qi = note that 
the expression for Ri in d27| i immediately reduces to ( fTOl ). 
Furthermore d32l reduces to 



Q2 



1 



MS 



'BA 



1 + Pl 



(34) 



Substituting Q 2 = 0, and OUi in and (ED we obtain (fT2l 
and (foi l respectively. Thus the rate expressions in Prop. |2] are 
consistent with the expressions in Prop. Q] when quantization 
(c.f. (124-b and d25l )) is not introduced. 

We also observe that the upper and lower bounds are close 
in the high signal-to-noise-ratio (SNR) regime. 



Corollary 1: In the high SNR regime the upper and lower 
bounds satisfy the following relation: 



lim R+(P) - i?p D (P) = i 7 

P—>oo 1 

lim R+{P)-R-{P) = i 7 

P— >oo J 



(35) 
(36) 



(30) where R + , i? PD and i? are given by ©, ( TTOt and 



respectively and 



log 1 



log 1 



'i3yt I 



\gBE\ 



(37) 



is a constant that only depends on the distributions 

p{hAB)p{gAE) and p(h B A)p(gBE)- 

A proof of Corollary Q] appears in section I VII 

Numerical Comparison: 

Fig.|4]shows the bounds on secret-key capacity as a function 
of SNR when the coherence period T = 10. Fig. [5] shows the 
bounds as a function of the coherence period T when SNR = 
35 dB. In Fig. [4] we fix the correlation coefficient in uplink 
and downlink gains to p = 0.95 while in Fig. [5] it is fixed to 
p = 0.99. 

We make several observations in these plots. The lowermost 
plot in both figures corresponds to the best rate any training 
based scheme can achieve i.e., 



R 



training 



^log(l-p 2 ) 



(38) 



In computing ([38} we assume that the legitimate receivers have 
a genie-aided side information of the respective channel gains 
and furthermore no overhead arising from the transmission 
of public messages is considered. In Fig. [4] this rate is SNR 
independent and in Fig. [5] it decreases to zero as y. 

The upper-most plot in Fig. |4] and Fig. [5] is the upper 
bound on the secret-key agreement capacity for any scheme. 
We note that for small values of T the contribution from 
channel-reciprocity term in (0 is dominant. As T increases 
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the contribution of this term diminishes and the contribution 
from the communication channel increases (c.f. (01). 

The remaining two plots are the lower bounds with and 
without public discussion. The lower bound with public 
discussion does not involve the overhead of transmitting a 
public message. For sufficiently high SNR, it approaches the 
upper bound. The lower bound without public discussion does 
not come close to the upper in the SNR range of interest. 
Nevertheless it achieves a much higher rate than the training 
based schemes. 

III. Proof of TheoremQ] 

In this section we provide a proof of TheoremQ] We assume 
that the communication is over a total of K coherence blocks 
and let N = T ■ K denote the total number of channel uses. 
Thus the channel state-sequences are of length K whereas 
the channel input and output sequences are of length N. We 
use the notation h AB to denote the channel state sequence 
of length K and the notation x A to denote a channel input 
sequence of length N. For the eavesdropper, we use the the 
notation z N 4 (z% E ,z» E ) and g* 4 {gf E ,g« E ). 

From the Fano's inequality and the secrecy constraint we 
have that 



NR < I(k A ; Are) - I{k A \ z iv , g A ) + 2ne 



< J(/c A ;/c B |z J \g 



2ne r , 



(39) 
(40) 



where e n — s- as n — > oo. In the following steps the 
term e n will be suppressed. Since k A = fA(mA,y A ) an d 
kg = f B (m B , y B ), using the data-processing inequality and 
the chain rule of mutual information, we have: 

NR < I(m A ,h^ A , y ^,m B ,h^ B ,y^\z N ,g K ) 
= I(m Al h B ; A ,y%;m Bl hK B ,y B ! - 1 \z N , g K )+ 

I(m A , h^ A ,y^,y B (N)\z N , g K , m B , h^y^ 1 ) 
= I(m A ,h^ A ,y^;m B ,h^ B ,yS- 1 \z N ,g K )+ 

I(y A (N);m B ,h« B ,y^ 1 \z N ,g K ,m A ,h I < A ,y%- 1 )+ 

I(m Al h^ A ,y^- 1 ;y B (N)\z N ,g K ,m B ,h^ Bl y^- 1 ) + 

IiyAmyBmzVpiBth^y^^h^y"- 1 ). 

(41) 

We bound each of the four terms in (PiTT i. We show that the 
following condition holds 

l{m Al h BA ,y A ;m B ,h AB7 y B \z ,g ) 

^ ti_ L.K ,,N—l. „ U< „JV-l|_iV-l „K\ / A o\ 

< l(m A ,h BA ,y A ;m B ,h AB ,y B \z ,g ) (48) 

in the steps between d42T > and ( |47] i on the top of next page. 
Note that (|43T > follows from the fact that x A (N) is a function 
of (m A , y A _1 ) and furthermore z A e(N) is independent of 
all other random variables given (x A (N), g A E{N)) (c.f. (f2|i). 
Eq. d47l i similarly follows because x B (N) is a function of 
(m B , y B -1 ) and furthermore z BB (N) is independent of all 
other random variables given (x B (N), g BB (N)). 

Furthermore, since (y A (N), z BB {N)) are independent of all 
other random variables given (x B (N), h BA (N), g BB (N)) we 
can show that 



I(y A (N);m B ,h^ B ,y^ 



.N-l\ N 



g 



, m A,n BA ,y A ) 



< I(y A (N);x B (N)\z BE (N),g BE (N),h BA (N)). (49) 
and likewise 

/V™ uK „N— 1. ,, / ATW-.N „K _ l,K ,,N-1\ 

l{m A ,h BA7 y A ;y B (N)\z ,g ,m B ,h AB ,y B ) 

< I(x A (N);y B (N)\z AE (N),h AB (N),g AE (N)). (50) 

Finally using the fact that x A (N) and x B (N) are functions of 
(m A , y BA x ) and ( m B , y AB 1 ) respectively and the fact that 
y A {N) is independent of all other random variables given 
(x A (N), h AB (N)) and similarly y B (N) is independent of all 
other random variables given (x B (N), h BA (N)) we can show 
that 

I(y A (N)- y B (N)\z N , g K f"B, h« B , y^-> A , h% A y^) 
= 0. (51) 

Thus substituting (gSJl, (|49j and d50]l into (HTJ we have that 



NR < I( m A , h% A , y J 2 - 1 ; m B , h AB , y* 



,N-l\ r .N-l „K 



+ I{y A {N); x B (N)\z BE {N) 7 g BE {N) 7 h BA (N)) 

+ I(x A (N) ; y B (N)\z AE (N) , h AB (N) , g AE (JV)) (52) 

Recursively applying the same steps we have that 



NR<I(m A ,h^ A ;h^ B ,m B \g K )+ 

N 

^2 I(x B (i); y A (i)\z BE (i), g BE (i), h BA (i))~ 



i=l 
N 



^I(x A (i)\y B (i)\z AE (i) , g AE (i) , h AB (i) ) (53) 



KI(h BA ; h AB ) 



N 



^2 I(x B (i); y A (i)\z BE (i), g BE (i) 7 h BA (i)) + 

i=l 
N 

^2l(x A (i);y B (i)\z AE (i), g AE (i) , h AB (i)) 



(54) 



where in ( |54] i we use the fact that ( m A , m B ) are mutually 
independent and independent of the channel gains and further- 
more (h AB , h BA ) are independent of g K . Finally to establish 
the upper bound (01 suppose that we assign a power Pi(h AB ) 
when the channel gain at time i equals h AB . Using the fact 
that a Gaussian input distribution maximizes the conditional 
mutual information terms in (|54l l (see e.g., BP ) we have: 



I(x A (i);y B (i)\z AE (i) , g AE (i) , h AB (i)) 

( Pi(h AB )\h AB \ 2 
log 1 



l + Pi(h AB )\g AE \2 

Thus we have that 

N 

^2 I ( x A{i); yEs{i)\z AE {i), g AE {i), h AB (i)) 



(55) 



N 

<Y. E 



log 1 



E 



N 



£iog i + T 



P l (h AB )\h AB \ 2 
l + Pi(h AB )\g AE \ 2 

Pi(h AB )\h AB \ 2 
+ P l (h AB )\g AE \ 2 



(56) 
(57) 
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I{m A ,h« Al yZ^ ]mB ,h« B ,y^\z\^) (42) 

<I(m A ,h§ A ,y^-\z AE (N);m B ,h^ B ,y^-\z BE (N)\z N - 1 ,g K ) (43) 
= I(m A ,h§ A ,y»- x -,m B ,h^,y»-\z BE (N)\z»-\tF) 

+ I{z AE {N); m B , h^ B ,y^- 1 ,z BE (N)\z N -\g K , m A , h^ A , y^ 1 ) (44) 

= I(m A ,h§ A , y ^- 1 ;m B ,h^ B ,y^- 1 ,z BE (N)\z N -\g K ) (45) 

r/_ ,,JV-1. _ Lis" ,.iV-l|_jV-l „if\ , r/_ ,JV-1. ^ /A,\|_/y-l „AT _ tif ,,AT-1\ (/1 -r^ 

= l{m A ,h BA ,y A ;m B ,h AB ,y B \z ,g ) + 1 [m A , h BAl y A ■ : z BE (N)\z ,g ,m B ,h AB7 y B ) (46) 

= l{mA,h BA ,y A ;m B ,h AB ,y B \z ,g ) (47) 




^Ei=l P »( /? As)|/' J 4B| 



P(h AB )\h AB \ 2 



I + P{h AB )\gAE\ 2 

NI(x A ;y B \z AE ,g AE , h AB ) 



(58) 

(59) 
(60) 



where P{h AB ) = X)»=i Pii^As) is the average power 



allocated when the fading state equals h AB and d58l uses the 
fact that the function f(x) = log fl + j-ffa j * s a concave 
function in .t and hence Jensen's inequality applies. Also note 
that 

N 



E[P(h AB )} = E 



i=l 

i=l 
1 W 

< -Vp, 

- AT 1 



< P. 



(61) 
(62) 
(63) 



In a similar fashion we can show that 

N 



V I(x B (i) ; y A (i) \z BE (i) , g BE (i), h BA (i)) 
P(h BA )\h BA \ 2 



log 1 



(64) 
(65) 



l + P(^)|gBB| 2 

= NI{x B ;y A \z BE ,g BE ,h BA ) 

The upper bound (O follows by substituting in d60t and 
into (l54l . This completes the proof of Theorem [T] 



IV. Proof of Theorem [2] 

We sketch the coding scheme associated with Theorem [2] 
where we assume the availability of a public discussion chan- 
nel. In our proof we assume that the channel input and output 
symbols as well as the fading gains are discrete valued. We do 
not address the discretization of these random variables in this 
section; it will be addressed in the proof of Theorem [3] when 
we do not assume the availability of a discussion channel. 

A. Generation of Correlated Source Sequences 

In each coherence block we reserve the first symbol for 
transmission of a pilot symbol 



x A {iT + 1) = x B {iT + 1) 



'Pi 



N 



1. (66) 



and the remainder of the symbols for transmission of i.i.d. 
random variables i.e., 



x A (t) ~ p XA (-),x B (t) 



Px fl (0.Vt 6 [l,N],t^iT+l. 

(67) 



The legitimate receivers B and A use the corresponding 
output symbols y B (iT + 1) and y A (iT + 1) for estimating the 
underlying channel gains h AB (i + 1) and h BA (i + 1) in (01 
and © respectively. 

We use the bold-font notation x A (t) to denote the sequence 
of T — 1 i.i.d. symbols transmitted in coherence block t. and 
let y B (t) denote the corresponding output symbol vector in 
block t. The source sequences at the terminals at the end of 
K coherence blocks are indicated in Table U 



B. Information Reconciliation 

Terminals A and B exchange public messages over the 
discussion channel to agree on identical sequence pair 
{h AB ,h BA ,y AB ,y BA ). The public messages transmitted are 
as follows (i) Terminal A bins the sequences {h BA } into 
2K(H(h BA \h AB )+ E ) bins and transm i ts t he associated bin 
index <fr A over the discussion channel, (ii) Terminal B 
bins the sequences {h AB } into 2 K ^ H ^ hAB ^ hBA ^ +e ^ bins and 
transmits the associated bin index <f> B over the discussion 
channel, (iii) Terminal A bins the sequences {y^} into 
2K(H(y A \x B M AB M BA )+s) and transmits the associated bin index 
ip A over the discussion channel, (iv) Terminal B bins the 
sequence {yf } into 2 K (H{y B \* A ,h AB ,h BA )+e) and transmits the 
associated bin index ip B over the discussion channel. 

Using standard arguments (see e.g., Il42l Chap. 10]) Termi- 
nal A can reconstruct the sequence pair (h AB , y B ) (with high 
probability) given the messages (4>b,iPb) and its side infor- 
mation (h BA ,x A ). Terminal B can reconstruct the sequence 
pair (h BA ,y A ) (with high probability) given the messages 
('^AjV'a) an d its side information sequence (h AB ,x B ). Thus 
at the end of this phase both terminals have access to the com- 
mon sequence pair (y A , y B , h AB , h BA ), The eavesdropper has 
access to (z K , g x , 4> A , <f> B , ipA, ^b)- 
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C. Equivocation Analysis 

We lower bound the equivocation at the eavesdropper as 
follows: 

Ulc.K c.K i>I< I.K \=K 



■,4>a,4>b^a,^b) 
= H(y%, yf , h« B , h« A \z K , g K ) H{ct> A ) - H(cb B ) 

= HChZs, h* A ) + H(y%, yf \z K , g K , ~h% B , h% A ) 



IK 



-H{(j> B )-H{^ A )-H^ B ) 



> H(h AB , h BA ) + H(tt , n K , , h% A ) 

- H{<t> A ) - H{<p B ) - H(ifj A ) - Htyg) 
=H (h%, h« A )+H{sl |zf , g* E , h* A ) 

+H(y^,g^ E ,h^ B ) 

- H(<f> A ) - H(<j> B ) - H(i> A ) - H{ij} B ) 
= KH(h AB , h BA ) + KH(y A \z B ,g BE , h BA ) 

+ KH(y B \z A ,g AE , h AB ) 

- H{4> A ) - H{<t> B ) - H{ip A ) - Htyg) 



(68) 
(69) 

(70) 

(71) 



where we use the chain rule of entropy and the fact that 



m 



we 



(h AB , h BA ) is independent of (z , g ) in 
use the fact that conditioning reduces entropy as well as h AB 
and h BA are independent of the remaining variables gives h AB 
and hg A respectively; in ( l70b we use the fact that x A and xf 
are sampled independently and hence the following Markov 
conditions hold: 



y K A -> (zf t g* E , h% A ) -+ (yf ,g% E , h%) (72) 
yf -+ {z«,gf E , h K AB ) -+ (y A , Sbe-i h^ A ); (73) 

Eq. (TnT i follows from the fact that the sequence pair 
(h AB , hl A ) is sampled i.i.d. and furthermore x A and xf are 
also sampled i.i.d. Furthermore, 

KH(h AB , h BA ) - H{4> A ) - H{cp B ) 
> KH(h AB , h BA ) - H(h BA \h AB ) - H{h AB \h BA ) 

= KI(h AB ; h BA ) ~ *Ke. 



AKe 
(74) 

(75) 



Combining (|75j, d78) and (J79j we obtain that 

H{yl,y^,hl B ,h^ A \z K ,g K ^a^b^a^b) 
> KI{h AB ; h BA ) - 4Ke - 4Ke' 

+ K(T - l){/(yA; x B , h A B, h BA )-I(y A ] z B ,g BE , h BA )-2e'} 

+ K(T - 1) {l(y B ;x A , h AB , h BA )-I(y B ;z A ,g AE , h AB )-2s'\ 

(80) 

In the final step, the equivocation lower bound in ( f80b can 
be used to generate a secret-key. The associated construction 
is discussed in section W-G\ when we consider the case without 
a public discussion channel. We omit the details as they are 
completely analogous. 

D. Proof of Prop. [7J 

We evaluate the rate expression <[8j in Theorem |2] by 
selecting x A ~ CW(0, P 2 ) and x B ~ CW(0,P 2 ). Note that 
the MMSE estimates of h AB and h BA can be expressed as 

h AB =ah AB + e AB (81) 
h BA = ah BA + e BA (82) 

where a = p i_i is me linear MMSE coefficient and 
e A B , e BA ~ a(l — a)) are mutually independent and 

independent of (h AB , h BA ). 

Thus h AB and h BA are jointly Gaussian random variables 
with E[\h AB \ 2 } = E[\h BA \ 2 } = a and E[h AB h BA ] = 
a 2 E[h AB h BA \. Hence one can show that 

l(h AB ; h BA ) = - log (1 - a 2 p 2 ) • (83) 
To compute the remaining terms in ([8]l note that 

I(Ya;xb, hAB, h BA ) - I(y A ; z B ,g BE , h BA ) 

> h(y A \z B ,g BE , h BA ) - h(y A \x B ,h AB , h BA ) (84) 

> h(y A \z B ,gBE, h BA ) - h(y A \x B , h BA ) (85) 
The since x B ~ CJV(0, P2), the first-term can be evaluated 



Using the fact that x A is sampled i.i.d. in ([77) and letting h{y A \z B ,g BE ,h BA ) - E 



e = we have 
KH(y A \z B ,g BE , h BA ) - H(i/ja) 

> KH(y A \z B ,g BE , h BA ) - KH(y A \x B , h AB , h BA ) - 2Ke 

(76) 

=K(T - 1) \H{y A \z B ,g BE , h BA )-H(y A \x B ,h AB , h BA )-2e'} 

(77) 

= K(T- l)^I(y A ; x B ,h AB ,h BA )-I(y A ; z B , g BE , h BA )-2e'} . 

(78) 

In a similar fashion we can show that 
KH(y B \z A ,g AE , h AB ) - H(ip B ) 

> K(T - 1) U{yB] x A ,h AB ,h BA )-I{yB-, z A , g AE , h AB )-2e 



\og2ne I 1 



P 2 \h BA \ 



l+P2\g BE \ 2 



(86) 



To evaluate the second term we introduce h BA = h BA — 
h BA . Note that since h BA is the MMSE estimate of h BA , we 
have that h BA ~ CAf(0, 1+ 1 Pi ) and hence 



h(yA\x B , h BA ) < h(y A - h BA x B ) 
= h(h BA x B + z B ) 

< log 2ne ( 1 



Po 



1 + P1 



(87) 
(88) 

(89) 



'} 



where we use the fact that conditioning reduces the differential 
entropy in d88l and that Gaussian distribution maximizes 
entropy among all distributions with a fixed variance in (|89l ). 
From (f85l, and d89ll we have that 



(79) P P BA = I(y A ;x B , h AB , h BA ) - I(y A ;z B ,g BE , h BA ) (90) 



9 



E 



log 1 



Pi\hBA\ 



l + P2\gBE\ 



- log 1 



1 + Pl 

(91) 
can be 



which establishes dT3l . The expression (TT21 for i? P AB 
established in a similar manner. 

V. Proof of Theorem[3] 



In absence of the discussion channel, we need to transmit 
the public messages during the error-reconciliation phase using 
the same wireless channel. We again use K coherence blocks 
to generate source and channel sequences as in Table U using 
the training and communication phases as in (f66t and ( |67| >. 
Thereafter we use E\ ■ K coherence blocks for generating the 
secret-key from the channel sequences and another e-2 ■ K 
coherence blocks for generating the secret-key from the source 
sequences. Due to this overhead, the total rate achieved is 
scaled by a factor of , , 1 — as in d26l i. 

In the secret-key generation phase we suitably quantize each 
of the channel-state and source sequences to satisfy the rate 
constraint for public messages. We describe the key steps of 
the coding scheme below. 

A. Quantization of Continuous Valued Random Variables 

While our lower bound is stated for continuous valued 
random variables, in the analysis of our coding scheme, we 
follow the approach in ll42l pp. 50, sec. 3.4.1] and assume that 
associated random variables are discrete valued. In particular 
let xb ~ Pxb(') be any continuous and bounded density 
function. We consider an associated quantized version of xb, 
[x B } 3 G {-j A, -(j - 1)A, . . . , (j - 1)A, j A}, with A = 
obtained by mapping xb to the closest quantization point such 
that |[xs]j| < \xb \ holds. Likewise fory^j = hsA[xB]j + r>A, 
let [yA.j]fe be defined in a similar manner. The random vari- 
ables [xA\j and [yB,j]k as well as the variables [uba\r, [uAB]k, 
[vA]k and [vs]k associated with the quantization codebooks 
are defined analogously. As we make the quantization finer 
and finer, the rate using these discrete random variables will 
approach the proposed lower bound with continuous valued 
random variables l42l pp. 65, sec. 3.8]. In what follows, we 
will treat these random variables as discrete valued and use 
the notion of robust-typicality 11421 pp. 25-31, sec. 2.4]. 



B. Codebook Construction 

Suitable quantization codebooks for the source and channel 
sequences are necessary in order to satisfy the rate-constraint 
associated with the wireless channel. Table [TT] illustrates the 
different quantization codebooks used in our coding scheme, 
which are further described below. 

• (Channel Quantization, Node A) C A : We sample 
a total of M% = 2 K ( I ( UBA ' hBA ^ codewords {uf A } 
i.i.d. each of length K, according to a distribution 
Pu BA (-)- These codewords are divided into a total of 
T U A = 2 K ( I ( u z^h B A\h AB )+2e^ bins such that there 

N% = 2 K ^^BA;h A B)-6) co( j eworc j s per bin. 

• (Channel Quantization, Node B) C B : We sample a 
total of M B = 2 K ( I ( u ABif>A B )+e) codewords i.i.d. 



according to a distribution p UAB (•). These codewords are 
divided into a total of T B = 2 K ^^ AB ^ AB \ hBA ^ +2 ^ bins 
such that there are N B = 2 K ( I ( UAB '~ hBA *>~ e ) codewords 
per bin. 

• (Source Quantization, Node A) C\: We sample a total of 
M\ = 2 Ki ~ I{ y A ^ A )+ e ) codewords {vf } i.i.d. according 
to the distribution ps A (-). These codeword are partitioned 
into a total of T V A = 2 K ^^ A ^ A ^ B ^+ 2 ^ bins such that 
there are N V B = 2 K{I ^ A '^ B ^~ £ ^ codewords per bin. 

• (Source Quantization, Node B) C V B : We sample a total of 
M B = 2 K ( I{ y B * B *) + ^ codewords {vf } i.i.d. according 
to the distribution Pv B (')- These codewords are parti- 
tioned into a total of T B = 2 a '( / ( 5 ^I*a.u)+2£) bins such 
that there are N V B = 2 K ^^ B ^ A ^-^ codewords per bin. 



C. Encoding 

• Terminal A finds a codeword u BA £ C A that is jointly 
typical with h BA . It finds the bin index (f> A of u BA and 
transmits it as a public message over the channel. 

• Terminal B finds a codeword u AB £ C A that is jointly 
typical with h AB . It finds the bin index ^ of u AB and 
transmits it as a public message over the channel. 

• Terminal A finds a codeword v A € C A that is jointly 
typical with y A . It finds the bin index ip A of \/ A and 
transmits it as a public message over the channel. 

• Terminal B finds a codeword v B € C B that is jointly 
typical with y B . It finds the bin index ipB of \i B and 
transmits it as a public message over the channel. 

We let Jx denote the error event that either terminal A or 
terminal B fails to find a codeword sequence typical with the 
source sequence and let Ji denote the error event associated 
with the transmission of the public message. 

D. Decoding 

Terminal A, upon receiving 4>b, searches for a codeword 
u AB in the bin-index 4>b £ C B that is jointly typical with 
h BA . It declares an error if none or more than one sequence 
are jointly typical. Terminal A, upon receiving ips, searches 
for a codeword v B in the bin-index %pB € C B that is jointly 
typical with (y A , u K ). It declares an error if none or more than 
one sequence appears to be typical. We define E\ = Pr(u AB ^ 



K 



Terminal B, upon receiving 4> A , searches for a codeword 
u BA in the bin-index 4> A e C A that is jointly typical with h AB . 
It declares an error if none or more than one sequences are 
jointly typical. Terminal B, upon receiving ip A , searches for a 
codeword v A in the bin-index ijj A € C A that is jointly typical 
with (y B , u K ). It declares an error if none or more than one 
sequence appears to be typical. We define £2 = Pr(u BA ^ 



J BA 



E. Error Analysis (Sketch) 

Let £ = £ 1 U £2 U J\ U J2 denote the union of all error 
events. It suffices to show that both and J\ have vanish- 
ing probabilities for i <E {1,2}. Since the total number of 
codeword sequences in C U A equals 2 K ^ I ^ UBA '' hBA ^ l+e \ it follows 
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TABLE II 

Quantization Codebooks for Source and Channel Sequences 



Codebook 


Total Codewords 


Total Bins 


Codewords Per Bin 


Channel Quantization (Node A): C" A 


2K(I{u BA ;h BA ) + E) 


2 K(I(u BA :h BA \h AB )+2e) 


2K(I(u BA ;h AB )-£) 


Channel Quantization (Node B): 


2 K ( I ( U AB i S XB)+E) 


2l<(I(u AB :h AB \h BA ) + 2£) 


2K(I(u AB ;h BA )-e) 


Source Quantization (Node A): C\ 


2 K d"A\VA)+z) 


2 K ( J ( v .4 :y.4 l x B ,u)+2e) 




Source Quantization (Node B): C V R 




2K(J(v £J ;y B |x_ 4 ,u) + 2c) 





from the Covering Lemma ll42l pp. 62, Lemma 3.3] that the 
probability that no jointly typical codeword exists goes to zero 
as K — s- oo. By a similar argument we have that Pr(Ji) — >■ 0. 
Since H((f) A ) < K(I(uba', ^ba^ab) + 2e) and since the rate 
constraint ( f]~8T > is imposed, terminal B decodes <j> A with 
high probability. In a similar fashion it can be argued that 
Pi'(>72) — >• as K —> oo. Since the total number of codewords 
in each bin of C U B is 2 K{I{UAB ^ BA ^~ e 'i it follows from the 
Packing Lemma l42l pp. 46, Lemma 3.1] that terminal A will 
decode {u AB = u AB } with high probability. By analogous 
arguments it can be verified that Pr(£i) —> and Pr(£2) —> 
as K — > oo. 



F. Equivocation Analysis 



Let us define z 



K _ f=K =K 



,zg) and g K = {g^ E ,gi E ). We 



first consider the conditional entropy terrrQ 

H(uJL,<^ Bl vf,vf \(l>A,<l>B,ll)A,ll>B,Z K ,g K ) > 

- H(<t> B ) - H(ip A ) - H{^ B ) (92) 
= H( U K A ,u« B \i K ,g K ) 

+ H(»«,»«\u« A ,u« B ,z K ,g K ) 
-H{cj> A )-H{4> B )-H^ A )-H^ B ) (93) 
= H(u* A , u K AB ) + H(^,^\u§ A , u« B ,z K ,g K ) 

- H(<f> A ) - H{4> B ) - H(^ A ) - Htyg) (94) 

where d94l i follows from the fact that (u BA , u AB ) are inde- 
pendent of (x A ,x B ) and hence (z K ,g K ). 

From the construction recall that <j> A , <$> B , 4>a and i/j b denote 
the bin indices in C A , C B , C\ and C V B respectively. Therefore 

H(<f> A ) < I(u BA ;h BA \h AB ) + 2e 7 (95) 

H((/> B )<I(u AB ;h AB \h BA )+2e, (96) 

H(i> A )<I(v A ;y A \x B ,u) + 2e, (97) 

H(1> B ) </(v B ;y B |x A ,u) + 2 e . (98) 

Thus we need to lower bound the joint-entropy terms in d94l l. 
We use the following Lemma. 

Lemma 1: Consider a triplet of random variables (u,x,y) 
that satisfy u — > x — > y. Suppose that the sequence x" is 
sampled i.i.d. p x (-). Suppose that we generate a set .4 con- 
sisting of M = 2 nR sequences {u n (i)}i<i<M each sampled 
i.i.d. from a distribution p u (-). Given x™ we select an index L 
such that (x™, u n (L)) € TJ l (x, u). If no such index exists we 

'All the expressions are conditioned on the codebook C. We suppress this 
conditioning for sake of convenience. 



select L uniformly at random. If y" is sampled i.i.d. from the 
conditional distribution p y | x ('|')> men 

H(y n \u n (L))>n{H(y\u)+I(x;u)-R- 7n (e))} (99) 

for any R > I(x; u) and for some 7 rl (e) that goes to zero as 
e —> and n — >• oo. 

Proof: See Appendix lAl ■ 



We first lower bound the term H(u 



K 
J BA 



n BA 



,K 



BAi U AB) 



Notice that 

u AB holds. Since u BA and u AB are 



distributed, nearly uniformly on the codebooks C\ and C B 
respectively (see e.g., 1431 pp. 660, Lemma 1]) we have that 

H(u% A ) > K(I(u BA ; h BA ) - y K (s)) (100) 
H(u%) > K(I(u AB ; h AB ) - lK {e)) (101) 

Substituting x = h AB , y = h BA and u = u BA and R = 
I(u BA ; h AB ) + 2e in Lemma[T]we have that 

H(h% A \u% A ) > K [H{h BA \u BA ) - l K (e)} . (102) 

We define the indicator function l e (h BA , u AB , u BA ) to 
equal 1 if (h BA , u AB , u BA ) € T e K and zero otherwise. 
Using the Markov Lemma l42l sec 12.1.1] we have that 
Pr(I(fr§ A , u AB , u BA ) = 1) 1 as K -> oo for every e > 0. 
Hence 



H(h$ A \u% A , »ab) < H(h% A \u% A , uf B ,\) 
< H(h§ A \u§ A , uf B ,I e = 1) Pr(I £ = 1)+ 
H(h£ A \u% A , u% B ,I e = 0) Pr(I e = 0) + 1 
Now consider 



1 



(103) 
(104) 



H(h BA \u BA , u AB , 



= 1) < E 



\og\T £ K (h BA \u^,u^)\ 



K ,.K\ 



< K(H(h BA \u BA , u A b) + 1k{e)) 



(105) 



where the last step follows from the bound on the size of a 
conditionally typical set ll42l pp. 27]. 

Furthermore since Pr(I £ = 0) — s- as K — > oo we have 
that ( 1104b simplifies to the following 

H(hBA\"BA, u ab) < K {H{h BA \u BA , u AB ) + Jk{e)} 

(106) 



We have the following lower bound on H(u BA , u^ B ): 



H(u§ Al UA : B ) = H{u* A \u% B ) + H(u% B ) 



,K 



K 



K 



K 



(107) 



H(u$ A , hU< B ) - H(h% A \u$ A , uf B ) + Hiu 1 ^) 



(108) 



> H(h% A \u% B ) - H(h BA \u BA , u% B ) + H(u% B ) (109) 

> K |/(/?ba; u B a\uab) + I{hAB\ u A b) ~ 7at( £ )} (H°) 
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= K {l(h BA ; u BA )+I(h AB ; u AB )-I(u BA ; u AB )-3j K (e)\ 

(111) 

where we use ( 1102b and ( 1106b in ( 11 10b . 



Now consider 

-.K r.K\..K ,,K -K K 



> H(v%, vf \u§ A , uf B ,z K , g K , h K AB , h K BA ) (112) 
= ^fl^zf ,Sbe) + H(^b Kb^a iSae) (H3) 



where (II 12b follows from the fact that conditioning reduces 
entropy and (II 13b follows from the fact that (x^,x||) are 
generated mutually independently and hence the associated 
Markov chain holds. We lower bound each of the two terms 
in (fTT3l 



H(v$\h% A ,i%,g§ E ) 

= H(hK A ,^,gK E \9$) + Hffi)-H{h* A ,iK,gK E ) 

= H(h% A ,i%,gg E \yiZ) + H(vZ) - KH(h BA ,z B ,g BE ) 

(114) 

> **(h BA , z B , g BE \v A ) + 

KI(\, A ; y A ) - KH(h BA , z B , g BE ) ~ K lK {e) (115) 



> K<^H(h BA ,z B ,g BE \\i A ) + 

I(vA]yA) - H(h BA ,z B ,g BE ) - 7A'(e)| (H6) 
= K{I(\i A ;y A ) - I(v A ;z B , h BA ,g BE ) - -f K (e)} (117) 

where (II 14b follows from the fact that (h AB , z B , g BE ) are 
sampled i.i.d. and (II 15b follows from the fact that v A is 
distributed nearly uniformly over the set C\ (see e.g., l43l 
pp. 660, Lemma 1]) and dl 16b follows from Lemma Q] 
by substituting u = v A , y = (h BAl z B , g BE ), x = y A and 
R = I(y A ; v A ) + 2s. In a similar manner we can show that 

H ( v B\ h AB, z A,gAE) 

> A'{/(v B ;y B ) - I(v B ;z A ,h AB ,g A E) - 7Jf( e )} (H8) 
Substituting (|95]l-<|98]l, dTTH . dTTTJi and (TTTgl into <H§ we 



have established that 



1 



-H(u^ A , u^ B ,^,^\(b A ,^ B ,^ A ,^ B ,z K ,g K ) > 



I(h AB ; u BA ) + I(h BA ; u AB ) - I(u BA ; u AB )^ 
I(v B ;x A , u) - 7(v B ; h AB ,g AE ,z A )+ 
I(v a ;x b ,\a) - I(\i A ;h BA ,g BE ,z B ) -j K (e). 
Now observe that 



(119) 



I(v B ;x A , u) - J(v B ; h AB ,g AE ,z A ) 

= I(\i B ;x A , u) - J(v B ; h AB , g AE , z A , u) (120) 

= H(\i B \h AB ,g AE ,z A , u) - H(v B \x A ,u) 

- (T - 1) {H(v B \h AB ,g AE ,z A , u) - ff(</ B |x A) u)} (121) 

= (T — l){/(\/ B ;xA,u)-/(\/ B ;/)A B ,gA£;,^4,u)} 

= (T-l){I(v B ;x A ,u)-7(vs;/iAi3,^B,^A)} (122) 

where (1121b follows from the fact that x A <E C T_1 is sampled 
i.i.d. p XA (-) ( 1120b and (1122b follow from the fact that u -> 
(zA; gAE, hAB) -> ys -> v B holds. 



In a similar way we can show that 

/(VA; X B , u) - i"(vA! h BA ,g B E, zb) 

= (T -l){I(v A ;x B ,u)- I(v A ;h AB ,g BE ,z B )} (123) 

By substituting (1122b and (1123b into ( 1119b we have that 
1 



-A (u£ A , U^ B , , flj i> A , i> B , Z K ,g K )> 

^ {/(/jab; uba) + I(hBA\ uab) - I{uba; uab)} + 
(T - 1) 

{I(v B ;x A , u) - J(v B ; h AB ,g AB ,z A )} + 
{I(v A ;x B ,u) - I(v A ; h AB , g BE , z B )} -f K (s) 



T 

(T-l) 



T 

Acq - 7if ( £ ) 



(124) 



G. Secret-Key Generation 

It remains to show that a secret-key can be generated at 
the legitimate terminals that achieves a rate R cq in (1124b and 
satisfies the secrecy constraint. 

We consider M i.i.d. repetitions of the coding scheme in 
the previous section. Let 



O 



M 



(V 



M-K ..M-K ,,MK ,,M-K 
! V B > U AB J °BA 



(125) 



denote the common sequence at the legitimate terminals after 
M such repetitions. Note that M is sampled i.i.d. from the 
joint distribution p(v A , v B , u AB , u BA ), Similarly let 



(126) 



denote the observation sequence at the eavesdropper which is 
also sampled i.i.d. and furthermore from (1124b we have that 



lff(0|T) > R cq - lK , 



(127) 



Given the common sequence M at the legitimate receivers 
and the sequence T M at the eavesdropper, sampled i.i.d. from 
a joint distribution, for any rate R < iJ(0|T) and 5 > 
there exists a secret-key codebook (see e.g., l42l sec. 22.3.2, 
pp. 562-563]) such that the secret-key k satisfies 

lim ——H(k)>(R-6), lim — — I(k; T M ) < 5. 

Furthermore for each Af, by selecting K sufficiently large, 
we can make jj^ E sufficiently small and also guarantee that 
the error probability in decoding M goes to zero. Thus we 
can achieve a secret-key rate arbitrarily close to R cq . This 
completes the proof of our lower bound. 

H. Proof of PropM 

We evaluate the rate expression in Theorem [3] for jointly 
Gaussian input distribution. Recall that h AB and h BA are 
the MMSE estimates of the channel gains h AB and h BA 
respectively. Hence we can decompose, 



h A B = h A B + e A B j h B A = h BA + e BA 



(128) 



where h AB ~ CAf(0,a), h BA ~ C7V(0, a) are the estimates 
and s AB — CAf (0,1 - a), e E A ~ CM (0,1 - a) are the 
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estimation errors and where a = pr^pj. For the test channels 
in ( f24b we can show the following: 



I(uab; ^ab) = I{uba; ^ba) 



log 1 



o 



( a 2 p 2 

I{ u ab; h B A)=l(uBA; h A B)= -log I 1 - 1+Ql 



I{uab; ^ab) - I{uab; h B A) 
a(l-aV) 



(129) 
(130) 



log 1 



Qi 

= I{uba\ ^ba) - I{uba\ ^ab) 
I{u A b; u B a) = -log I 1 



Qi 



r 

7 



(131) 
(132) 



Substituting in (Q3]), (17]) and ([Tg]) we have that 



Rl=—{ I{UAB] h B A)+I{uBA] h AB )~I(UAB] U B a) 



( <*V 
T j-21og h- 



Qi 



hlog 1 - 




where Qi is selected to satisfy: 

a(l - a 2 p 2 ) 



log 1 



Qi 



< £l (T-l)i? NC (P). 



(133) 



(134) 



We next obtain expression for R BA using the test chan- 
nel ||25}. 

^BA = I(v A ;XB, U A B, U B a) ~ I{VA\ ^AB , Z B j SBe) (135) 

= h(v A \h A B,z B ,gBE) - h(v A \u A B, u B a,xb) (136) 
we bound each of the two entropy terms as follows. 



h{vA\hAB,ZB,gBE) 



E 



log l + Qi 



Pi\h B A\ 



l + P2\g BE \ 2 

and furthermore 

h(v A \u AB , u B a,xb) 

< h(hBAXB + Qba + Hba) 

< log (a 2 AB P 2 +Q 2 + l)+ log(2^e) 

where 

flBA = ^ba — ^ba 



(137) 

+ log(27re) (138) 



(139) 
(140) 



is the error in the MMSE estimate of h B A given (uab, Uba) 



and a 2 AB is the associated estimation error 



(Tab = e K"ab ~ h AB ) 2 ] 



(141) 



The upper bound in d 1 40| > follows from the fact that a Gaussian 
input maximizes the differential entropy for a given noise 
variance. The expression in (f30b follows by substituting d 1 38b 
and ( 11401 ) into ( 11361 ). In a similar way we can establish < T3~TT ). 



The rate constraint in ( 1221 and d23l follow by substituting (251 ) 
into 



Note that 



I(y A ;y A \x A , uab, uba) < £2Risc(P)- 

I{y A ;y A \x A , uab, u B a) 
= h(v A \x A , u A B, u B a) ~ Hqba) 

Qi 



< log l 



(142) 

(143) 
(144) 



The expression (03) follows from (fT42l and (fT44b . 

Finally the bound on a AB in (l32b is obtained as follows 

g \b = E[{hAB - ^ab{uab, uba)) 2 ] 

2 

< E[(h AB - h AB (uAB)) 2 ] < 1 
This completes the proof of Prop. [2] 



Qi + a 



(145) 



VI. Proof of CorollaryQ] 

We establish (l35T l and (136*1 ) respectively. 
We consider the expression for R + in Theorem Q] and show 
that 

1 ;log(l-p 2 )+ 7 (146) 



lim R+ 

P-s-oo 



T 



where 7 is defined in (1371 . In particular note that the first 
term in d3} is independent of P and furthermore since /^b 
and hsA are jointly Gaussian, zero mean, unit variance and 
with a cross-correlation of p it can be readily shown that 

I(h A B;h BA ) = -log(l-p 2 ). (147) 

Only the second and third terms depend on P. For any power 
allocation P(Iiab) note that 



E 



log 1 



P(h A B)\hAB\ 2 

l + P(h AB )\gA E \ 



< E 



log 1 



\h A i 



\gAE I 



(148) 



which follows since the function f(x) = jrfj; is increasing 
in x for any a, 6 > 0. Similarly we have 



log 1 



P(h 



BA "BA 



1 + P(h BA )\gB E \ 



< E 



'BA 



\gBE\ 



(149) 



Furthermore since a Gaussian input distribution maximizes the 
conditional mutual information (c.f. d55ll). the upper bound 
follows by substituting ( 1148b and (11491 ) into 
We next show that, 



1 - 2, T-l 



lim i? pD = --log(l-p 2 ) 

P— >oo 1 



T 



-7- 



(150) 



In particular we consider the secret-key rate expression (fTol 
in Prop. Q] We select P 2 = ^ and P i = P ~ V 7 ^- Note 
that as P — >• 00 we have that P\,P2 — > 00 and ^ — > 0. In 
particular, since a = p^b[ we have that 



lim 

Pl->oo 



lim log 1 + - 

P^co \ 1 



log(l-aV) = -log(l-p 2 ), 
P2 



Pi 



= 0. 



(151) 
(152) 
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1+bx 



is bounded for all 



Furthermore since the function f(x) 

a, b > we can apply the Dominated Convergence Theorem, 



lim E 

P 2 ->oo 



lim E 

P 2 ->oo 



log 1 



Pi\h A i 



log 1 



l+P2\g AE \ 2 

P2\h BA \ 2 

l+P2\g BE \ 2 



--E 



--E 



log 1 



log 1 



\h A i 



\gAE\ 



(153) 



\gBE\ 



(154) 



Substituting ( TBB , dT52b , ( fT53l , ( TBI into (T0j, <HB, CGK 
( Ti"3l we recover ( 1150b . Comparing ( 1150b and ( 1146b we estab- 
lish (Ell. 

To establish (|36"1 ) we consider d26l ) in Prop. |2] and show that 
with a suitable choice of Qi, Q2, Pi and P2 we have that 



lim R = -~ log(l - p 2 ) + -^7- 

P— foo J 



In particular we select P2 
Furthermore we select 



T 

^ and Pi 



P 



Qi = 



Q2 = 



q(l - a 2 p 2 ) 
i(T-l)P NC (P) 
1 



(155) 
- n/P. 

(156) 
(157) 



£ 2 -Rnc(^) 

Note that as P — > 00, it is well known that R^q{P) — > 00. 
Thus we can let £1 and £2 to be any functions of P such that 
ei(P),e 2 (P) -> and e l (P)P N c(P) -> 00. Then observe 
that Qi, Q2 — > as P — > 00 It therefore follows that 



lim P/(ei,P) 

P— >oo 



lim log 1 

P->oo 



^log(l 

1 + 02 



= 0. 



and hence we have 
lim R 

P->oo 



AB 



lim R 

P^c 



BA 



E 



E 



log 1 



|/7AP| 2 
\gAE\ 2 

\h BA \ 2 

\gBE\ 2 

By substituting ( 1158b . ( 11601 ) and ( 11611 ) into 
tain (11551). 



log 1 



(158) 
(159) 

(160) 

(161) 
we ob- 



VII. Conclusion 

We study secret-key agreement capacity over a two-way, 
non-coherent, reciprocal, block-fading channel. Our main ob- 
servation is that a separation based scheme that judiciously 
combines channel-training and randomness-sharing techniques 
is an efficient approach when the coherence block length is 
large and the high signal-to-noise is high. Numerical results 
indicate that even when the overhead of transmitting public 
messages is accounted for, the proposed scheme outperforms 
a idealized training-only schemes for moderate SNR and 
relatively small coherence block-lengths. These observations 
suggest that when the channel fluctuations are relatively slow, 
one should not rely on channel reciprocity alone for secret-key 
generation. We also establish an upper bound on the secret-key 
agreement capacity and show that the upper and lower bounds 
coincide asymptotically. 



In terms of future work a number of interesting directions 
remain to be explored. The secret-key agreement capacity in 
the low signal to noise ratio regime remains to be studied. 
Potentially improved upper and lower bounds for moderate 
SNR may be also obtained. While our upper bound and lower 
bounds naturally extend to the case of multiple antennas 
a detailed analysis is left for future work. We note that 
some preliminary investigation along these lines has appeared 
in HI. 

Appendix A 
Proof of LemmaU 

We lower bound the conditional entropy term as follows 

H(y n \u n (L)) = H(y n ,x n \u N (L)) - H(x n \y n , u n (L)) 

(162) 

> H(y n ,x n ) - H(u n (L)) - H(x n \y n , u n (L)) (163) 
= nH(y,x) - H(u n (L)) - H(x n \y n , u n (L)) (164) 

> nH{y,x) -nR- H(x n \y", u"(L)) (165) 



where ( 1164b follows from the fact that (x",y") are sampled 
independently of A and ( 1165b follows from the fact that \A\ = 
2 nR . It only remains to upper bound the conditional entropy 
term in ( 1165b . Let 1 £ > denote an indicator function that equals 1 
if (x n ,y n , u n ) £ T™,(x,y, u) and equals zero otherwise. From 
the conditional typicality lemma we have that Pr(I e / = 1) — >• 1 
as n — > 00, for any e' > e. 



H(x n \y n , u N (L)) < 1 + H(x n \y n , u N (L), I) 



(166) 



= 1 + H(x n \y n , u N (L), I = 1) Pr(I = 1) 

+ H{x n \y n , u N (L),I = 0) Pr(I = 0) (167) 

< 1 + H(x n \y",u N (L),l = 1) + nPT(x) Pr(I = 0) (168) 

< l + Bpog|7?(x|u n ,y n )|] +n!f(x)Pr(I = 0) (169) 

< 1 + nH(x\u,y) + 717(e) + n-/ n (e) (170) 

where we use the fact that for any e > 0, Pr(I = 0) — > 
as n — > 00 in (1168b . which follows since R > I(x; u). 
Combining ( 1165b and (1170b we get 

H(y n \u n (L)) > n{H{y,x) - H{x\y, u)-R- 7n (e)} 

(171) 

= n {H(y\x) + H(x) - H(x\u) + I(x; y\u) — R — 7 „(e)} 

(172) 

- n {H(y\u) + I(x; u) - R - 7 „(e)} , (173) 
where the last step uses the fact that u — > x — > y. 
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